CN111475524A - Data processing method and device based on interceptor and computer equipment - Google Patents
- Publication number
- CN111475524A (application CN202010148232.7A)
- Authority
- CN
- China
- Prior art keywords
- specified
- interceptor
- request
- encrypted
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/242—Query formulation
- G06F16/2433—Query languages
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
Abstract
The application discloses a data processing method, a data processing device and computer equipment based on an interceptor. The method comprises: adding a configuration file in a first designated directory of an application system; receiving an input encrypted jar package and adding the configuration information carried in the encrypted jar package into the configuration file; configuring a designated interceptor in the application system; and intercepting an SQL request to be executed through the designated interceptor and, after the SQL request is successfully intercepted, performing encryption processing and decryption processing on designated parameters corresponding to the configuration information in the SQL request.
Description
Technical Field
The application relates to the technical field of information security, in particular to a data processing method and device based on an interceptor and computer equipment.
Background
With the rapid development of science and technology, application systems are upgraded faster and faster, but data security problems in these systems keep surfacing, so the demand for data security protection of application systems grows stronger. In the prior art, security modification of an application system's data usually relies on the application code of the application system itself to encrypt and decrypt important data in the application system. Specifically, the application system needs to be upgraded correspondingly, that is, the application code of the application system itself needs to be modified for the upgrade. Encryption and decryption processing is then carried out on the upgraded application system, for example by coupling some cases written by developers for data encryption and decryption into the modified application code, to complete the security modification of the application system's data. However, the amount of code in an application system is usually large, so this modification approach is time-consuming and labor-intensive, the modification cost is high, and the modification efficiency is low.
Disclosure of Invention
The application mainly aims to provide a data processing method and device based on an interceptor and computer equipment, and aims to solve the technical problems that the existing modification mode is easy to consume time and labor when the application system is modified safely, the modification cost is high, and the modification efficiency is low.
The application provides a data processing method based on an interceptor, which comprises the following steps:
adding a configuration file under a first appointed directory of an application system;
receiving an input encrypted jar package, and adding configuration information carried in the encrypted jar package into the configuration file;
configuring a designated interceptor within the application system;
intercepting an SQL request to be executed through the specified interceptor, and after successfully intercepting the SQL request, performing encryption processing and decryption processing on specified parameters corresponding to the configuration information in the SQL request.
Optionally, the step of configuring the designated interceptor in the application system includes:
acquiring a specified file under a second specified directory of the application system;
adding a first code for configuring the first interceptor in a specified label under the specified file; and
adding a second code for configuring the second interceptor in the designated tag.
Optionally, the step of intercepting, by the specified interceptor, an SQL request to be executed, and after the SQL request is successfully intercepted, performing encryption processing and decryption processing on a specified parameter corresponding to the configuration information in the SQL request includes:
judging whether a preset encryption switch is turned on or not;
if the preset encryption switch is judged to be turned on, intercepting the SQL request through the first interceptor;
after the SQL request is successfully intercepted, encryption processing is carried out on the specified parameters in the SQL request according to a first preset rule, and the encrypted specified parameters are obtained;
after a preset time period for completing the encryption processing of the specified parameters is executed, judging whether a preset decryption switch is turned on or not;
if the preset decryption switch is judged to be turned on, the second interceptor is used for re-intercepting the SQL request;
after the re-interception of the SQL request is successful, extracting the encrypted specified parameters from the SQL request;
and decrypting the encrypted specified parameters to obtain a corresponding decryption result.
Optionally, the step of encrypting the specified parameter in the SQL request according to a first preset rule to obtain an encrypted specified parameter includes:
judging whether a specified table exists in the SQL request, wherein the specified table is a table to be encrypted;
if the SQL request is judged to have a specified table, acquiring the data type of the specified table;
according to the data type, adapting the parameter type of the specified table to the specified parameter type corresponding to the data type to obtain an adapted specified table;
judging whether a designated field exists in the adapted designated table, wherein the designated field is a field to be encrypted;
and if the appointed field exists in the matched appointed table, encrypting the appointed field according to a second preset rule to obtain the encrypted appointed field.
Optionally, the step of encrypting the specified field according to a second preset rule to obtain an encrypted specified field includes:
calling a first interface of a key management service of the application system to create a master key;
calling a second interface of the key management service to create a data key, so as to encrypt the data key by using the master key through the key management service, and returning a plaintext data key and a ciphertext data key corresponding to the data key;
and encrypting the appointed field by using the plaintext data key to obtain the encrypted appointed field.
Optionally, after the step of encrypting the specified field by using the plaintext data key to obtain an encrypted specified field, the method includes:
deleting a local plaintext data key of the application system;
and storing the ciphertext data key and the encrypted specified field.
Optionally, the step of decrypting the encrypted specified parameter to obtain a corresponding decryption result includes:
reading the ciphertext data key;
calling a third interface of the key management service, and decrypting the ciphertext data key into a corresponding specified plaintext data key;
and decrypting the encrypted specified field by using the specified plaintext data key to obtain a corresponding decryption result.
The present application further provides a data processing apparatus based on an interceptor, including:
the adding module is used for adding configuration files under a first appointed directory of the application system;
the adding module is used for receiving an input encrypted jar package and adding configuration information carried in the encrypted jar package into the configuration file;
a configuration module for configuring a designated interceptor within the application system;
and the processing module is used for intercepting the SQL request to be executed through the specified interceptor, and after the interception of the SQL request is successful, performing encryption processing and decryption processing on specified parameters corresponding to the configuration information in the SQL request.
The present application further provides a computer device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the above method when executing the computer program.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method.
The data processing method and device based on the interceptor, the computer equipment and the storage medium have the following beneficial effects:
According to the data processing method, the device, the computer equipment and the storage medium based on the interceptor, the configuration file is added under a first designated directory of an application system, the input encrypted jar package is received, the configuration information carried in the encrypted jar package is added into the configuration file, the designated interceptor is configured in the application system, the SQL request to be executed is intercepted through the designated interceptor, and after the interception of the SQL request is successful, the designated parameters corresponding to the configuration information in the SQL request are encrypted and decrypted.
Drawings
FIG. 1 is a schematic flow chart of an interceptor-based data processing method according to an embodiment of the present application;
FIG. 2 is a schematic structural diagram of an interceptor-based data processing apparatus according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a computer device according to an embodiment of the present application.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
It should be noted that all directional indicators (such as upper, lower, left, right, front and rear ...) in the embodiments of the present application are only used to explain the relative position relationship between the components, the movement situation, etc. in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indicator is changed accordingly, and the connection may be a direct connection or an indirect connection.
Referring to fig. 1, a data processing method based on an interceptor according to an embodiment of the present application includes:
S1: adding a configuration file under a first appointed directory of an application system;
S2: receiving an input encrypted jar package, and adding configuration information carried in the encrypted jar package into the configuration file;
S3: configuring a designated interceptor within the application system;
S4: intercepting the SQL request to be executed through the specified interceptor, and after the interception of the SQL request is successful, carrying out encryption processing and decryption processing on specified parameters corresponding to the configuration information in the SQL request.
In practical applications, the interceptor-based data processing apparatus may be implemented by a virtual device, such as software code, or by a physical device into which the related execution code is written or integrated. The interceptor-based data processing apparatus of this embodiment can quickly and conveniently implement security modification of related data in an application system, where the related data is specifically the specified parameters included in an SQL request of the application system server (i.e., the application server of the application system).
Specifically, a configuration file is first added under a first specified directory of the application system, where the first specified directory can be modules/fintelligen-common/resource/ and the configuration file is specifically the encrypt.Properties file. After the configuration file has been added, an encrypted jar package input by a developer is received, and the configuration information carried in the encrypted jar package is added into the configuration file. The configuration information specifically comprises information such as the encryption table, the encryption field, the encryption switch, the DTO base class, the paging object, the encryption key, and the relevant configuration of the key management service. After the configuration information has been added, a specified interceptor is configured in the application system, and the specified interceptor is then used to intercept the SQL request to be executed in the application system server.
This embodiment abandons the existing approach of performing security modification of application system data based on the application code. Instead, it innovatively configures a designated interceptor in the application system and uses it to quickly and conveniently perform encryption processing and decryption processing on the specified parameters corresponding to the configuration information. Both the encryption processing and the decryption processing are transparent to the application, so the security modification of the specified parameters is more flexible and concise, the modification cost of the application system is effectively reduced, the modification efficiency for the specified parameters is improved, the complexity that the encryption and decryption service imposes on the application system's structure and code modification is reduced, and the modification capability of the application system is improved.
Further, in an embodiment of the present application, the step S3 includes:
S300: acquiring a specified file under a second specified directory of the application system;
S301: adding a first code for configuring the first interceptor in a specified label under the specified file; and
S302: adding a second code for configuring the second interceptor in the designated tag.
As described in the foregoing steps S300 to S302, the designated interceptor includes a first interceptor and a second interceptor, and the step of building the designated interceptor in the application system may specifically include: firstly, acquiring a specified file under a second specified directory of the application system, wherein the second specified directory can be modules/fintelligen-report/core/mybasic/, and the specified file can be mybasic-config-ensemble.
The first interceptor may be named a parameter handler interceptor, and is configured to intercept a specified parameter included in an SQL request executed in the application server while the application system is running, so that the specified parameter can subsequently be encrypted. A second code for configuring the second interceptor is then added in the specified label under the specified file; the second interceptor is used to subsequently decrypt the specified parameter while the application system is running.
In this embodiment, the first code and the second code are configured under the specified label of the specified file, so that the first interceptor and the second interceptor, which quickly and conveniently perform encryption processing and decryption processing on the related data to be security-modified, are successfully configured in the application system. The security modification of the specified parameter corresponding to the configuration information in the SQL request thus becomes more flexible and concise, and the complexity that the encryption and decryption service imposes on the application system's structure and code modification is effectively reduced.
Further, in an embodiment of the present application, the step S4 includes:
S400: judging whether a preset encryption switch is turned on or not;
S401: if the preset encryption switch is judged to be turned on, intercepting the SQL request through the first interceptor;
S402: after the interception of the SQL request is successful, encryption processing is carried out on the specified parameters in the SQL request according to a first preset rule, and the encrypted specified parameters are obtained;
S403: after a preset time period for completing the encryption processing of the specified parameters is executed, judging whether a preset decryption switch is turned on or not;
S404: if the preset decryption switch is judged to be turned on, re-intercepting the SQL request through the second interceptor;
S405: after the SQL request is re-intercepted successfully, extracting the encrypted specified parameters from the SQL request;
S406: and decrypting the encrypted specified parameters to obtain a corresponding decryption result.
As described in the foregoing steps S400 to S406, the step of intercepting the SQL request to be executed through the specified interceptor and, after the SQL request is successfully intercepted, performing encryption processing and decryption processing on the specified parameter corresponding to the configuration information in the SQL request may specifically include the following. First, it is determined whether a preset encryption switch is turned on, where the encryption switch is a control field in the configuration information that controls whether parameters need to be encrypted. If the encryption switch is turned on, indicating that the specified parameter needs to be encrypted, the SQL request is intercepted by the first interceptor, and after the SQL request is successfully intercepted, the specified parameter in the SQL request is encrypted according to a first preset rule to obtain the encrypted specified parameter.
The specified parameter may be encrypted by using a key management service (KMS), or by using another encryption technology. The KMS is a security management service with which keys can be easily created and managed; it protects the confidentiality, integrity and availability of the keys, meets users' key management requirements across multiple applications and multiple services, and meets supervision and compliance requirements. After a preset time period following completion of the encryption processing of the specified parameter, it is determined whether a preset decryption switch is turned on. The preset time period is not particularly limited, and may be, for example, 2 minutes.
If the decryption switch is turned on, indicating that the encrypted specified parameter in the SQL request needs to be decrypted, the second interceptor re-intercepts the SQL request and, after the re-interception of the SQL request is successful, extracts the encrypted specified parameter from the SQL request. Finally, the encrypted specified parameter is decrypted to obtain a corresponding decryption result, and the decryption result can further be returned.
The decryption method for decrypting the encrypted specified parameter corresponds to the encryption method for encrypting the specified parameter, for example, if the specified parameter is encrypted by using the encryption method of the key management service, the encrypted specified parameter is decrypted by using the decryption method of the corresponding key management service to obtain the corresponding decryption result.
The embodiment can intercept the SQL request through the first interceptor and the second interceptor which are configured in advance, transparently encrypt the specified parameters in the SQL request according to the preset on condition of the encryption switch, and decrypt the encrypted specified parameters in the SQL request according to the preset on condition of the decryption switch, so as to realize the secure modification of the related data in the application system, and effectively reduce the complexity of the encryption and decryption service to the structure and code modification of the application system.
Further, in an embodiment of the application, the step S402 includes:
S4020: judging whether a specified table exists in the SQL request, wherein the specified table is a table to be encrypted;
S4021: if judging that the SQL request has a specified table, acquiring the data type of the specified table;
S4022: according to the data type, adapting the parameter type of the specified table to the specified parameter type corresponding to the data type to obtain an adapted specified table;
S4023: judging whether a designated field exists in the adapted designated table, wherein the designated field is a field to be encrypted;
S4024: and if the appointed field exists in the matched appointed table, encrypting the appointed field according to a second preset rule to obtain the encrypted appointed field.
As described in the above steps S4020 to S4024, the step of encrypting the specified parameter in the SQL request according to the first preset rule to obtain the encrypted specified parameter may specifically include the following. First, it is determined whether the SQL request has a specified table, where the specified table is a table to be encrypted, that is, a table that needs to be encrypted; if table information corresponding to the specified table exists in the configuration information, the specified table is determined to be a table that needs to be encrypted. If the SQL request has a specified table, the data type of the specified table is obtained, where the data type may specifically be map, string, or the like.
For example, if the data type is map, the specified parameter type is also map. And then judging whether a designated field exists in the adapted designated table, wherein the designated field is a field to be encrypted, namely a field needing to be encrypted, and if field information corresponding to the designated field exists in the configuration information, judging that the designated field is the field needing to be encrypted. And if the appointed field exists in the adapted appointed table, encrypting the appointed field according to a second preset rule to obtain the encrypted appointed field.
In the embodiment, the SQL request can be intercepted through a first pre-configured interceptor, and then the specified parameters in the SQL request are encrypted through the key management service or other encryption technologies, so that transparent encryption of the specified parameters in the SQL request is quickly and conveniently realized, and the complexity of the encryption service on the structure and code modification of an application system is effectively reduced.
Further, in an embodiment of the present application, the step S4024 includes:
S40240: calling a first interface of a key management service of the application system to create a master key;
S40241: calling a second interface of the key management service to create a data key, so as to encrypt the data key by using the master key through the key management service, and returning a plaintext data key and a ciphertext data key corresponding to the data key;
S40242: and encrypting the appointed field by using the plaintext data key to obtain the encrypted appointed field.
As described in the above steps S40240 to S40242, the present embodiment may specifically use the key management service (KMS) to perform encryption processing and decryption processing on the related parameter data of the SQL request executed in the application system, so as to protect the related parameter data and effectively ensure that, even if the application configuration or the data is leaked, an unauthorized party cannot recover the encrypted parameter data in the application system.
Specifically, the step of encrypting the specified field according to the second preset rule to obtain an encrypted specified field may include the following. First, a first interface of a key management service of the application system is called to create a master key. The key management service may be installed in the application system in advance. The first interface may specifically be a CreateKey interface, which is a dedicated interface for generating a master key; when the CreateKey interface is called, a master key is created for the user by default, or the master key may be created through a KMS console. In addition, after the master key has been created, an alias can be added to the master key; the specific content of the alias is not particularly limited and can be set according to the user's actual needs. If the user does not give the master key an alias, the ID of the master key is used directly as its alias. Then a second interface of the key management service is called to create a data key, so that the key management service encrypts the data key with the master key and returns a plaintext data key and a ciphertext data key corresponding to the data key. The second interface may be a GenerateDataKey interface, which is a dedicated interface for generating a data key; when the GenerateDataKey interface is called, it by default generates the data key for the user online, and the specific data contained in the generated data key is random.
After the plaintext data key is obtained, the plaintext data key is used for encrypting the specified field, and the encrypted specified field is further obtained, so that the safe encryption protection of the specified field in the SQL request of the application system by using the key management service is effectively realized.
In an embodiment of the present application, after step S40242, the method includes:
S40243: deleting a local plaintext data key of the application system;
S40244: and storing the ciphertext data key and the encrypted specified field.
As described in steps S40243 to S40244, the key management service encrypts the data key using the master key, and returns a ciphertext data key corresponding to the data key in addition to a plaintext data key corresponding to the data key. After the specified field is encrypted by using the plaintext data key, it is necessary to further perform corresponding deletion or storage processing on the local plaintext data key, the ciphertext data key, and the encrypted specified field, so that decryption processing on the encrypted specified field can be performed smoothly in the subsequent processing.
Specifically, after the step of encrypting the specified field by using the plaintext data key to obtain the encrypted specified field, the method further includes: firstly, deleting a local plaintext data key of an application system, and then storing the ciphertext data key and the encrypted specified field.
Further, in an embodiment of the present application, the step S405 includes:
S4050: reading the ciphertext data key;
S4051: calling a third interface of the key management service, and decrypting the ciphertext data key into a corresponding specified plaintext data key;
S4052: and decrypting the encrypted specified field by using the specified plaintext data key to obtain a corresponding decryption result.
As described in steps S4050 to S4052, after the key management service is used to encrypt the specified field to obtain the encrypted specified field, the embodiment may further use the key management service to decrypt the encrypted specified field according to the preset turning-on condition of the decryption switch, so as to output the required decryption result.
Specifically, the step of decrypting the encrypted specified parameter to obtain a corresponding decryption result includes the following. First, the ciphertext data key is read. Because the ciphertext data key and the encrypted specified field were stored locally after the specified field was encrypted with the plaintext data key, the ciphertext data key can subsequently be read locally. After the ciphertext data key is read, a third interface of the key management service is called to decrypt the locally stored ciphertext data key into a corresponding specified plaintext data key. The third interface may be a Decrypt interface, which is a dedicated interface for decryption; the Decrypt interface can decrypt data directly encrypted by the key management service, that is, it can decrypt the ciphertext of the data key (the ciphertext data key) generated by the second interface (the GenerateDataKey interface).
After the specified plaintext data key is obtained, it is used to decrypt the encrypted specified field to obtain a corresponding decryption result. After the decryption result is obtained, the locally stored specified plaintext data key is deleted, and the decryption result can also be returned. In this way the transparent decryption of the encrypted specified field in the SQL request is completed conveniently and quickly, and the complexity that the encryption and decryption service imposes on the structure and code modification of the application system is effectively reduced.
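The envelope-encryption flow of steps S40240 to S40244 and S4050 to S4052, as an added Java example that is not code from the patent. `LocalKms` is a hypothetical in-memory stand-in for the key management service whose methods mirror the CreateKey, GenerateDataKey and Decrypt interfaces, and AES-256-GCM is an assumed cipher, since the text names none.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class EnvelopeFieldDemo {
    static final SecureRandom RNG = new SecureRandom();

    // AES-256-GCM (assumed cipher). Output layout: 12-byte nonce || ciphertext || 16-byte tag.
    static byte[] seal(byte[] key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] open(byte[] key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12); // AEADBadTagException if the blob was altered
    }

    /** Hypothetical in-memory stand-in for the key management service; master keys never leave it. */
    static final class LocalKms {
        private final Map<String, byte[]> masterKeys = new HashMap<>();

        String createKey() { // first interface (CreateKey): returns the master key ID
            byte[] mk = new byte[32];
            RNG.nextBytes(mk);
            String id = UUID.randomUUID().toString();
            masterKeys.put(id, mk);
            return id;
        }

        // Second interface (GenerateDataKey): [0] = plaintext data key, [1] = ciphertext data key.
        byte[][] generateDataKey(String keyId) throws GeneralSecurityException {
            byte[] dk = new byte[32];
            RNG.nextBytes(dk);
            return new byte[][] { dk, seal(master(keyId), dk) };
        }

        // Third interface (Decrypt): unwraps a ciphertext data key with the master key.
        byte[] decrypt(String keyId, byte[] ciphertextDataKey) throws GeneralSecurityException {
            return open(master(keyId), ciphertextDataKey);
        }

        private byte[] master(String keyId) throws InvalidKeyException {
            byte[] mk = masterKeys.get(keyId);
            if (mk == null) throw new InvalidKeyException("unknown master key: " + keyId);
            return mk;
        }
    }

    /** What S40243 and S40244 leave on the application side: no plaintext key at all. */
    static final class StoredField {
        final String keyId;
        final byte[] ciphertextDataKey;
        final byte[] encryptedField;

        StoredField(String keyId, byte[] ciphertextDataKey, byte[] encryptedField) {
            this.keyId = keyId;
            this.ciphertextDataKey = ciphertextDataKey;
            this.encryptedField = encryptedField;
        }
    }

    static StoredField encryptField(LocalKms kms, String keyId, String value) throws GeneralSecurityException {
        byte[][] dk = kms.generateDataKey(keyId);
        try {
            return new StoredField(keyId, dk[1], seal(dk[0], value.getBytes(StandardCharsets.UTF_8)));
        } finally {
            // S40243: best-effort wipe of our copy. SecretKeySpec keeps its own copy of the
            // key bytes until it is garbage collected, so this narrows the window, no more.
            Arrays.fill(dk[0], (byte) 0);
        }
    }

    static String decryptField(LocalKms kms, StoredField s) throws GeneralSecurityException {
        byte[] pk = kms.decrypt(s.keyId, s.ciphertextDataKey); // S4050 and S4051
        try {
            return new String(open(pk, s.encryptedField), StandardCharsets.UTF_8); // S4052
        } finally {
            Arrays.fill(pk, (byte) 0); // delete the plaintext data key again after use
        }
    }

    public static void main(String[] args) throws Exception {
        LocalKms kms = new LocalKms();
        String keyId = kms.createKey();
        StoredField row = encryptField(kms, keyId, "6222020200112233445"); // constructed sample value
        System.out.println("decrypted: " + decryptField(kms, row));

        row.encryptedField[row.encryptedField.length - 1] ^= 0x01; // simulate corrupted storage
        try {
            decryptField(kms, row);
            System.out.println("modification NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("modified field rejected");
        }
    }
}
```

With an authenticated mode, a stored field that was altered fails decryption instead of yielding a wrong plaintext, which is why the demo checks for `AEADBadTagException`.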
Referring to fig. 2, an embodiment of the present application further provides an interceptor-based data processing apparatus, including:
the adding module 1 is used for adding configuration files under a first specified directory of an application system;
the adding module 2 is used for receiving an input encrypted jar packet and adding configuration information carried in the encrypted jar packet into the configuration file;
a configuration module 3, configured to configure a designated interceptor within the application system;
and the processing module 4 is configured to intercept, by using the specified interceptor, an SQL request to be executed, and perform encryption processing and decryption processing on a specified parameter corresponding to the configuration information in the SQL request after the SQL request is successfully intercepted.
In this embodiment, the implementation processes of the functions and actions of the add module, the configuration module, and the processing module in the data processing apparatus based on an interceptor are specifically described in the implementation processes corresponding to steps S1 to S4 in the data processing method based on an interceptor, and are not described herein again.
Further, in an embodiment of the present application, the configuration module includes:
the acquisition submodule is used for acquiring the specified file under the second specified directory of the application system;
a first adding submodule, configured to add a first code for configuring the first interceptor in a specified tag under the specified file; and
and the second adding submodule is used for adding a second code for configuring the second interceptor in the specified label.
In this embodiment, the implementation processes of the functions and actions of the obtaining sub-module, the first adding sub-module, and the second adding sub-module in the data processing apparatus based on the interceptor are specifically described in the implementation processes corresponding to steps S300 to S302 in the data processing method based on the interceptor, and are not described herein again.
Further, in an embodiment of the present application, the processing module includes:
the first judgment submodule is used for judging whether a preset encryption switch is started or not;
the first interception submodule is used for intercepting the SQL request through the first interceptor if the preset encryption switch is judged to be turned on;
the encryption submodule is used for carrying out encryption processing on the specified parameters in the SQL request according to a first preset rule after the interception of the SQL request is successful, so that the encrypted specified parameters are obtained;
the second judgment submodule is used for judging whether a preset decryption switch is turned on or not after the preset time period for completing the encryption processing of the specified parameters is executed;
the second interception submodule is used for re-intercepting the SQL request through the second interceptor if the preset decryption switch is judged to be turned on;
the extraction submodule is used for extracting the encrypted specified parameters from the SQL request after the interception of the SQL request is successful;
and the decryption submodule is used for decrypting the encrypted specified parameters to obtain a corresponding decryption result.
In this embodiment, the implementation process of the functions and actions of the first determining submodule, the first intercepting submodule, the encrypting submodule, the second determining submodule, the second intercepting submodule, the extracting submodule and the decrypting submodule in the data processing apparatus based on the interceptor is specifically described in the implementation process corresponding to steps S400 to S406 in the data processing method based on the interceptor, and is not described herein again.
Further, in an embodiment of the present application, the encryption sub-module includes:
a first judging unit, configured to judge whether a specified table exists in the SQL request, where the specified table is a table to be encrypted;
the acquisition unit is used for acquiring the data type of a specified table if judging that the specified table exists in the SQL request;
the adaptation unit is used for adapting the parameter type of the specified table to the specified parameter type corresponding to the data type according to the data type to obtain an adapted specified table;
a second judging unit, configured to judge whether a specified field exists in the adapted specified table, where the specified field is a field to be encrypted;
and the encryption unit is used for encrypting the designated field according to a second preset rule if the designated field exists in the adapted designated table, so as to obtain the encrypted designated field.
In this embodiment, the implementation processes of the functions and actions of the first determining unit, the obtaining unit, the adapting unit, the second determining unit and the encrypting unit in the data processing apparatus based on an interceptor are specifically described in the implementation processes corresponding to steps S4020 to S4024 in the data processing method based on an interceptor, and are not described herein again.
Further, in an embodiment of the present application, the encryption unit includes:
the first creating subunit is used for calling a first interface of the key management service of the application system to create a master key;
the second creation subunit is configured to invoke a second interface of the key management service to create a data key, encrypt the data key by using the master key through the key management service, and return a plaintext data key and a ciphertext data key corresponding to the data key;
and the encryption subunit is used for encrypting the specified field by using the plaintext data key to obtain the encrypted specified field.
In this embodiment, the implementation processes of the functions and actions of the first creating subunit, the second creating subunit, and the encryption subunit in the data processing apparatus based on the interceptor are specifically described in the implementation processes corresponding to steps S40240 to S40242 in the data processing method based on the interceptor, and are not described herein again.
Further, in an embodiment of the present application, the encryption unit includes:
the deleting subunit is used for deleting the local plaintext data key of the application system;
and the storage subunit is used for storing the ciphertext data key and the encrypted specified field.
In this embodiment, the implementation process of the functions and actions of the deletion subunit and the storage subunit in the data processing apparatus based on the interceptor is specifically described in the implementation processes corresponding to steps S40243 to S40244 in the data processing method based on the interceptor, and is not described herein again.
Further, in an embodiment of the present application, the decryption sub-module includes:
a reading unit, configured to read the ciphertext data key;
the first decryption unit is used for calling a third interface of the key management service and decrypting the ciphertext data key into a corresponding specified plaintext data key;
and the second decryption unit is used for decrypting the encrypted specified field by using the specified plaintext data key to obtain a corresponding decryption result.
In this embodiment, the implementation processes of the functions and actions of the reading unit, the first decryption unit, and the second decryption unit in the data processing apparatus based on the interceptor are specifically described in the implementation processes corresponding to steps S4050 to S4052 in the data processing method based on the interceptor, and are not described herein again.
Referring to fig. 3, a computer device, which may be a server and whose internal structure may be as shown in fig. 3, is also provided in the embodiment of the present application. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is designed to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer equipment is used for storing data such as configuration files, encrypted jar packets and configuration information. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement an interceptor-based data processing method.
The processor executes the steps of the interceptor-based data processing method:
adding a configuration file under a first appointed directory of an application system;
receiving an input encrypted jar packet, and adding configuration information carried in the encrypted jar packet into the configuration file;
configuring a designated interceptor within the application system;
intercepting an SQL request to be executed through the specified interceptor, and after successfully intercepting the SQL request, performing encryption processing and decryption processing on specified parameters corresponding to the configuration information in the SQL request.
Those skilled in the art will appreciate that the structure shown in fig. 3 is only a block diagram of a part of the structure related to the present application, and does not constitute a limitation to the apparatus and the computer device to which the present application is applied.
An embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for processing data based on an interceptor is implemented, specifically:
adding a configuration file under a first appointed directory of an application system;
receiving an input encrypted jar packet, and adding configuration information carried in the encrypted jar packet into the configuration file;
configuring a designated interceptor within the application system;
intercepting an SQL request to be executed through the specified interceptor, and after successfully intercepting the SQL request, performing encryption processing and decryption processing on specified parameters corresponding to the configuration information in the SQL request.
In summary, according to the data processing method, the device, the computer equipment and the storage medium based on the interceptors provided in the embodiment of the application, the configuration file is added under the first designated directory of the application system, the input encrypted jar packet is received, the configuration information carried in the encrypted jar packet is added into the configuration file, the designated interceptor is configured in the application system, the SQL request to be executed is intercepted through the designated interceptor, and after the interception of the SQL request is successful, the encryption processing and the decryption processing are performed on the designated parameters corresponding to the configuration information in the SQL request.
It will be understood by those of ordinary skill in the art that all or a portion of the processes of the methods of the embodiments described above may be implemented by hardware that is instructed to be associated with a computer program that may be stored on a non-volatile computer-readable storage medium that, when executed, may include the processes of the embodiments of the methods described above, wherein any reference to memory, storage, database or other medium provided herein and used in the embodiments may include non-volatile and/or volatile memory.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, apparatus, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, apparatus, article, or method. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, apparatus, article, or method that includes the element.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application, or which are directly or indirectly applied to other related technical fields, are also included in the scope of the present application.
Claims (10)
1. A data processing method based on an interceptor is characterized by comprising the following steps:
adding a configuration file under a first appointed directory of an application system;
receiving an input encrypted jar packet, and adding configuration information carried in the encrypted jar packet into the configuration file;
configuring a designated interceptor within the application system;
intercepting an SQL request to be executed through the specified interceptor, and after successfully intercepting the SQL request, performing encryption processing and decryption processing on specified parameters corresponding to the configuration information in the SQL request.
2. The interceptor-based data processing method of claim 1, wherein the designated interceptor comprises a first interceptor and a second interceptor, and wherein the step of configuring the designated interceptor within the application system comprises:
acquiring a specified file under a second specified directory of the application system;
adding a first code for configuring the first interceptor in a specified label under the specified file; and
adding a second code for configuring the second interceptor in the designated tag.
3. The interceptor-based data processing method of claim 2, wherein the intercepting, by the interceptor, an SQL request to be executed and, after the intercepting of the SQL request is successful, performing encryption and decryption processing on a specified parameter corresponding to the configuration information in the SQL request comprises:
judging whether a preset encryption switch is turned on or not;
if the preset encryption switch is judged to be turned on, intercepting the SQL request through the first interceptor;
after the SQL request is successfully intercepted, encryption processing is carried out on the specified parameters in the SQL request according to a first preset rule, and the encrypted specified parameters are obtained;
after a preset time period for completing the encryption processing of the specified parameters is executed, judging whether a preset decryption switch is turned on or not;
if the preset decryption switch is judged to be turned on, the second interceptor is used for re-intercepting the SQL request;
after the re-interception of the SQL request is successful, extracting the encrypted specified parameters from the SQL request;
and decrypting the encrypted specified parameters to obtain a corresponding decryption result.
4. The interceptor-based data processing method of claim 3, wherein the step of encrypting the specified parameter in the SQL request according to a first predetermined rule to obtain the encrypted specified parameter comprises:
judging whether a specified table exists in the SQL request, wherein the specified table is a table to be encrypted;
if the SQL request is judged to have a specified table, acquiring the data type of the specified table;
according to the data type, adapting the parameter type of the specified table to the specified parameter type corresponding to the data type to obtain an adapted specified table;
judging whether a designated field exists in the adapted designated table, wherein the designated field is a field to be encrypted;
and if the appointed field exists in the matched appointed table, encrypting the appointed field according to a second preset rule to obtain the encrypted appointed field.
5. The interceptor-based data processing method of claim 4, wherein the step of encrypting the designated field according to a second predetermined rule to obtain an encrypted designated field comprises:
calling a first interface of a key management service of the application system to create a master key;
calling a second interface of the key management service to create a data key, so as to encrypt the data key by using the master key through the key management service, and returning a plaintext data key and a ciphertext data key corresponding to the data key;
and encrypting the appointed field by using the plaintext data key to obtain the encrypted appointed field.
6. The interceptor-based data processing method of claim 5, wherein the step of encrypting the specified field using the plaintext data key to obtain an encrypted specified field is followed by:
deleting a local plaintext data key of the application system;
and storing the ciphertext data key and the encrypted specified field.
7. The interceptor-based data processing method of claim 6, wherein the step of decrypting the encrypted specific parameter to obtain the corresponding decryption result comprises:
reading the ciphertext data key;
calling a third interface of the key management service, and decrypting the ciphertext data key into a corresponding specified plaintext data key;
and decrypting the encrypted specified field by using the specified plaintext data key to obtain a corresponding decryption result.
8. An interceptor-based data processing apparatus, comprising:
the adding module is used for adding configuration files under a first appointed directory of the application system;
the adding module is used for receiving an input encrypted jar packet and adding configuration information carried in the encrypted jar packet into the configuration file;
a configuration module for configuring a designated interceptor within the application system;
and the processing module is used for intercepting the SQL request to be executed through the specified interceptor, and after the interception of the SQL request is successful, performing encryption processing and decryption processing on specified parameters corresponding to the configuration information in the SQL request.
9. A computer device comprising a memory and a processor, the memory having stored therein a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A storage medium having a computer program stored thereon, the computer program, when being executed by a processor, realizing the steps of the method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010148232.7A CN111475524B (en) | 2020-03-05 | 2020-03-05 | Data processing method and device based on interceptor and computer equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010148232.7A CN111475524B (en) | 2020-03-05 | 2020-03-05 | Data processing method and device based on interceptor and computer equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111475524A (en) | 2020-07-31 |
CN111475524B (en) | 2024-05-28 |
Family
ID=71748161
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010148232.7A Active CN111475524B (en) | 2020-03-05 | 2020-03-05 | Data processing method and device based on interceptor and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111475524B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113221152A (en) * | 2021-05-31 | 2021-08-06 | 中国农业银行股份有限公司 | Data processing method, device, apparatus, storage medium, and program |
CN114915495A (en) * | 2022-07-05 | 2022-08-16 | 浙江华东工程数字技术有限公司 | Message encryption and decryption method supporting multi-algorithm switching |
CN115085903A (en) * | 2022-06-16 | 2022-09-20 | 平安普惠企业管理有限公司 | Data encryption and decryption method, device, equipment and medium based on encryption algorithm |
CN115134152A (en) * | 2022-06-29 | 2022-09-30 | 北京天融信网络安全技术有限公司 | Data transmission method, data transmission device, storage medium, and electronic apparatus |
CN115643063A (en) * | 2022-10-12 | 2023-01-24 | 平安银行股份有限公司 | Message data processing method and device, electronic equipment and medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103577771A (en) * | 2013-11-08 | 2014-02-12 | 中科信息安全共性技术国家工程研究中心有限公司 | Virtual desktop data leakage-preventive protection technology on basis of disk encryption |
US20140359302A1 (en) * | 2013-05-30 | 2014-12-04 | Dell Products L.P. | System and Method for Intercept of UEFI Block I/O Protocol Services for BIOS Based Hard Drive Encryption Support |
CN108509805A (en) * | 2018-03-21 | 2018-09-07 | 深圳天源迪科信息技术股份有限公司 | Data encrypting and deciphering and desensitization runtime engine and its working method |
CN108804644A (en) * | 2018-06-05 | 2018-11-13 | 中国平安人寿保险股份有限公司 | Interface log storing method, device, computer equipment and storage medium |
CN109857479A (en) * | 2018-12-14 | 2019-06-07 | 平安科技(深圳)有限公司 | Interface data processing method, device, computer equipment and storage medium |
CN110598426A (en) * | 2019-08-14 | 2019-12-20 | 平安科技(深圳)有限公司 | Data communication method, device, equipment and storage medium based on information security |
Also Published As
Publication number | Publication date |
---|---|
CN111475524B (en) | 2024-05-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111475524A (en) | Data processing method and device based on interceptor and computer equipment | |
US9461819B2 (en) | Information sharing system, computer, project managing server, and information sharing method used in them | |
TWI598814B (en) | System and method for managing and diagnosing a computing device equipped with unified extensible firmware interface (uefi)-compliant firmware | |
US7545931B2 (en) | Protection of application secrets | |
US9098715B1 (en) | Method and system for exchanging content between applications | |
US10440111B2 (en) | Application execution program, application execution method, and information processing terminal device that executes application | |
US20140040622A1 (en) | Secure unlocking and recovery of a locked wrapped app on a mobile device | |
CN107528865B (en) | File downloading method and system | |
CN108200078B (en) | Downloading and installing method of signature authentication tool and terminal equipment | |
JPWO2003050662A1 (en) | Software safety execution system | |
CN111274611A (en) | Data desensitization method, device and computer readable storage medium | |
CN106992851B (en) | TrustZone-based database file password encryption and decryption method and device and terminal equipment | |
CN204360381U (en) | mobile device | |
US20090150680A1 (en) | Data Security in Mobile Devices | |
CN115758420A (en) | File access control method, device, equipment and medium | |
JP4765812B2 (en) | Information processing system, client device, program, and file access control method | |
CN114817957B (en) | Encrypted partition access control method, system and computing device based on domain management platform | |
JP2003345664A (en) | Transmission device, data processing system, and data processing program | |
CN112464259A (en) | ERP page acquisition method and device, computer equipment and storage medium | |
CN110737910A (en) | Android log decryption management method, device, equipment and medium | |
US20230013844A1 (en) | System and method for securing keyboard input to a computing device | |
WO2010023683A2 (en) | A method and system for client data security | |
CN116016167B (en) | Message processing method, device, storage medium and equipment | |
CN113032042B (en) | Target file processing method, device and terminal equipment | |
KR101000788B1 (en) | System of processing software based on web and method for protecting data thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||